Samba : smb.conf

The smb.conf File

First, know the locations where you can find this file:

  • If you installed Samba during your base install, it’ll be at
    /etc/samba (or in some distros, /etc or /etc/samba.d).
  • If you install it afterwards, you’re installing it as a “local user,” which means it’ll be in
    /usr/local/samba/lib.

Any of these is fine; just know where it is on your machine.

Second, know the comment characters:

  • #
  • ;

Third, understand that Samba is started, stopped, run and has its errors handled by startup scripts in the System V runlevel folders, the /etc/rc.d directory tree.

  • Don’t let the complexity of this system confuse you; the actual script that is called lives in
    /etc/rc.d/init.d/smb
  • while the links that call (invoke) this script live in the runlevel tree:
    /etc/rc.d/rc[3-5].d/S35smb (note the [3-5] pattern: one link for each of runlevels 3, 4 and 5)

Sections within smb.conf are labelled with an opening tag like this:

[global]
or
[sharename]

There is no closing tag.

Global options are important. You’ll always have to set some of these for even a default Samba installation to work. They include:

workgroup
As usual, this term is a mess. It does mean “workgroup” in the Windows sense, but it also means “domain” in the Windows NT sense, or even “domain” in the Active Directory sense. You MUST set this one or all is for naught.

netbios name
This is exactly what it says: the Lan Manager NetBIOS name. You can set this here (and you should), or you can leave it blank (trouble) and Samba will attempt to derive it from the machine’s hostname. This means a hostname (fully qualified) like labhmaster.unm.edu will (with luck) derive to “labhmaster.” (Good luck.)

server string
This sounds obscure, but actually it’s just the comment that appears along with the server name in a Network Neighborhood or My Network Places window. Use it. Choose a good description.

encrypt passwords
HERE BE DRAGONS. Do you have an ancient NT domain with a pre-SP3 NT4 server and Windows 95 or 98-first-edition clients? You’re stuck: you have to leave this set to “No” and pass clear-text passwords. Anyone who can access your subnet and monitor with a sniffer like Ethereal will be able to see them. Enough said?
Or do you have anything later? You MUST set this to “Yes” and pass encrypted passwords.
(There are workarounds. Don’t use them.)

Why is this a big deal? Because when you use unencrypted user names and passwords, your current Linux user name and password are what get checked. It’s like you’re connecting as your (Linux) self – because you are. But if you use encrypted passwords, you are stuck maintaining a separate Samba user name and password, unless the admin (you) sets up Unix Password Sync, which has its own security issues.

oslevel
What this really refers to is the Lan Manager Browse Master election process. The higher the number you choose, the higher the chance your Samba server will become the browse master – the server that maintains the list of computers, shares and printers that appears in Network Neighborhood/My Network Places. This is also contingent on:

preferred master
which will be either Yes or No. If it’s Yes, you’d better have oslevel set to a high number, because if it isn’t, your server will lose the election and basically pout about it. This setting refers to the election of the Local Master (think Workgroup), while the next setting:

domain master
refers to the same process in a true Windows domain. The same caveat applies. Short suggestion: leave these set to No.

hosts allow
This is where you can leave a security hole big enough to drive a truck through. If you leave this list blank, ANYONE can access your shares. (You’re not going to do that.)

Instead, you can specify:

  • a single host:
    labhclient1
  • a whole network of clients:
    .unm.edu
    (note the leading dot)
    which means any host in .unm.edu can connect
  • a TCP/IP address:
    132.62.21.15
    which allows only that host
  • a TCP/IP range:
    132.62.21.
    (note the trailing dot)
    which allows anyone on this subnet access
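As an added example (not from the original page and not Samba’s own matcher), here is a simplified model of how the four hosts allow forms above admit or reject a client; host_allowed, CLIENTS and allowed_clients are names assumed for this illustration:

```python
import re

def host_allowed(hosts_allow, client_name, client_ip):
    """Decide whether a client passes a 'hosts allow' list, using only the
    four entry forms described above (bare host name, .domain suffix,
    exact address, address prefix with a trailing dot). Simplified model,
    not Samba's own matcher. An empty list lets everyone in."""
    entries = [e for e in re.split(r"[,\s]+", hosts_allow.strip()) if e]
    if not entries:
        return True                 # the truck-sized hole the text warns about
    name = client_name.lower()
    for entry in entries:
        e = entry.lower()
        if e.startswith("."):       # .unm.edu: any host in that domain
            if name.endswith(e):
                return True
        elif e.endswith("."):       # 132.62.21.: every address on that subnet
            if client_ip.startswith(e):
                return True
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", e):  # exact address only
            if client_ip == e:
                return True
        else:                       # labhclient1: a single host by name
            if name == e or name.split(".")[0] == e:
                return True
    return False

# Constructed clients for the demonstration, not real hosts
CLIENTS = [("labhclient1.unm.edu", "132.62.21.40"),
           ("pc9.other.example", "10.0.0.9")]

def allowed_clients(hosts_allow):
    """Names from CLIENTS that the given hosts allow list admits."""
    return [n for n, ip in CLIENTS if host_allowed(hosts_allow, n, ip)]
```

Run allowed_clients("") to see the blank-list case admit every client, then allowed_clients("132.62.21.") to see only the lab subnet get through.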

interfaces
If you have more than one NIC, you can browse more than one subnet.
Generally, the format is:

192.62.20.15/255.255.255.0

where the first number is the IP address of the NIC Samba should browse through, and the second is of course that interface’s subnet mask. See the Red Hat Linux Bible, Chapter 18.

security
The options are:

  • user
    This means you’re going to set up a user account for each user that will access the Samba server. This is initially the easiest, and long-term the highest-maintenance.
  • share
    Good for a print server, this option doesn’t require a user name and password. Everyone is “guest,” which is a very limited level of permission in terms of file access.
  • server
    Similar to the user option, you’ll need an account for each user. But in this case you’ve got more than one Samba server, and you’re getting user information from another server. This is rare.
  • domain
    Used with an NT domain. The Samba server gets user information from the domain controller.
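Pulling the section syntax and the global options above together, here is an added example (not from the original page or the Samba project) that parses an smb.conf and flags the settings this page warns about: an empty hosts allow, encrypt passwords not set to Yes, and security = share. The sample configuration is constructed, and parse_smb_conf and audit_global are names assumed for this illustration:

```python
import re

# Constructed sample smb.conf (not from any real server); it uses both
# comment characters and deliberately shows the weak settings discussed above.
SAMPLE_CONF = """
# Samba configuration
; lines starting with ; are comments too
[global]
   workgroup = LABWG
   netbios name = LABHMASTER
   server string = Lab file server
   encrypt passwords = no
   hosts allow =
   security = share
[public]
   path = /srv/public
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}. Sections open with [name] and never
    close. Samba ignores case and internal whitespace in parameter names,
    so 'os level' and 'oslevel' are stored under the same key."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # both comment characters
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def audit_global(conf):
    """Flag the [global] settings the text calls out; [] means nothing flagged."""
    g = conf.get("global", {})
    findings = []
    if not g.get("workgroup"):
        findings.append("workgroup is not set")
    if not g.get("hostsallow"):
        findings.append("hosts allow is empty: any host can reach the shares")
    if g.get("encryptpasswords", "").lower() not in ("yes", "true", "1"):
        findings.append("encrypt passwords is not yes: passwords cross the wire in clear text")
    if g.get("security", "").lower() == "share":
        findings.append("security = share: no per-user authentication")
    return findings
```

Feed it the text of your own smb.conf (open the file and pass its contents to parse_smb_conf) and print whatever audit_global returns.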